
Commit ba10ec0

aeneasrory-bot
authored andcommitted
fix(talos): prevent key leaks in logs, dropped audit events, and validation gaps
GitOrigin-RevId: e15f4ceab9746e63cd1abf5ed1571102c69f28e6
1 parent e35476f commit ba10ec0

1 file changed

Lines changed: 18 additions & 7 deletions

File tree

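--- a/oryx/fetcher/fetcher.go
+++ b/oryx/fetcher/fetcher.go
@@ -83,6 +83,17 @@ func newOpts() *opts {
 
 type Modifier func(*opts)
 
+// redactedSource returns a safe representation of the source for use in error
+// messages. base64:// sources embed the full payload (which may contain
+// secrets such as private keys) and are therefore redacted; all other sources
+// are returned unchanged.
+func redactedSource(source string) string {
+	if strings.HasPrefix(source, "base64://") {
+		return "base64://[redacted]"
+	}
+	return source
+}
+
 // NewFetcher creates a new fetcher instance.
 func NewFetcher(opts ...Modifier) *Fetcher {
 	o := newOpts()
@@ -108,25 +119,25 @@ func (f *Fetcher) FetchBytes(ctx context.Context, source string) ([]byte, error)
 	if !slices.ContainsFunc(f.schemes, func(scheme string) bool {
 		return strings.HasPrefix(source, scheme+"://")
 	}) {
-		return nil, errors.WithStack(fmt.Errorf("%w: in source %q: allowed schemes: %s", ErrUnknownScheme, source, strings.Join(f.schemes, ", ")))
+		return nil, errors.WithStack(fmt.Errorf("%w: in source %q: allowed schemes: %s", ErrUnknownScheme, redactedSource(source), strings.Join(f.schemes, ", ")))
 	}
 	switch {
 	case strings.HasPrefix(source, "http://"), strings.HasPrefix(source, "https://"):
 		return f.fetchRemote(ctx, source)
 	case strings.HasPrefix(source, "file://"):
 		b, err := os.ReadFile(strings.TrimPrefix(source, "file://"))
 		if err != nil {
-			return nil, errors.Wrapf(err, "read file: %s", source)
+			return nil, errors.Wrapf(err, "read file: %s", redactedSource(source))
 		}
 		return b, nil
 	case strings.HasPrefix(source, "base64://"):
 		src, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(source, "base64://"))
 		if err != nil {
-			return nil, errors.Wrapf(err, "base64decode: %s", source)
+			return nil, errors.Wrapf(err, "base64decode: %s", redactedSource(source))
 		}
 		return src, nil
 	default:
-		return nil, errors.Wrap(ErrUnknownScheme, "unknown scheme in source: "+source)
+		return nil, errors.Wrap(ErrUnknownScheme, "unknown scheme in source: "+redactedSource(source))
 	}
 }
 
@@ -149,16 +160,16 @@ func (f *Fetcher) fetchRemote(ctx context.Context, source string) (b []byte, err
 
 	req, err := retryablehttp.NewRequestWithContext(ctx, http.MethodGet, source, nil)
 	if err != nil {
-		return nil, errors.Wrapf(err, "new request: %s", source)
+		return nil, errors.Wrapf(err, "new request: %s", redactedSource(source))
 	}
 	res, err := f.hc.Do(req)
 	if err != nil {
-		return nil, errors.Wrap(err, source)
+		return nil, errors.Wrap(err, redactedSource(source))
 	}
 	defer res.Body.Close()
 
 	if res.StatusCode != http.StatusOK {
-		return nil, errors.Errorf("expected http response status code 200 but got %d when fetching: %s", res.StatusCode, redactedSource(source))
+		return nil, errors.Errorf("expected http response status code 200 but got %d when fetching: %s", res.StatusCode, redactedSource(source))
 	}
 
 	if f.limit > 0 {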
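Review bot: `redactedSource` (new lines 86–96) masks only `base64://` sources, so an `http://` or `https://` source carrying credentials in its userinfo or a token in its query string is still written verbatim into the error strings at new lines 122, 163, 167 and 172. For URL sources I would parse with `net/url` and return `u.Redacted()`, which masks the password component; query-string secrets are not covered by that and need a separate decision (for example clearing `RawQuery` before formatting). The error wrapped at line 167 comes from the HTTP client and may itself embed the request URL, so the outer redaction alone is presumably not sufficient there — a test asserting the final `err.Error()` for a URL with userinfo would pin this down. The commit message also mentions dropped audit events and validation gaps, but only `fetcher.go` is in this diff, so those presumably land elsewhere. `redactedSource` sits entirely inside its hunk; the `FetchBytes` and `fetchRemote` bodies continue outside theirs.
```go
func redactedSource(source string) string {
	switch {
	case strings.HasPrefix(source, "base64://"):
		return "base64://[redacted]"
	case strings.HasPrefix(source, "http://"), strings.HasPrefix(source, "https://"):
		// Mask userinfo credentials; needs "net/url" in the import block.
		// Query-string secrets are not masked by Redacted() and need their own policy.
		if u, err := url.Parse(source); err == nil {
			return u.Redacted()
		}
	}
	return source
}
```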
